Gentoo Archives: gentoo-announce

From: Pierre-Yves Rofes <py@g.o>
To: gentoo-announce@l.g.o
Cc: full-disclosure@××××××××××××××.uk, bugtraq@×××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200801-22 ] PeerCast: Buffer overflow
Date: Wed, 30 Jan 2008 23:22:19
Message-Id: 47A105D2.3030904@gentoo.org
1 -----BEGIN PGP SIGNED MESSAGE-----
2 Hash: SHA1
3
4 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5 Gentoo Linux Security Advisory GLSA 200801-22:02
6 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7 http://security.gentoo.org/
8 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9
10 Severity: High
11 Title: PeerCast: Buffer overflow
12 Date: January 30, 2008
13 Updated: January 30, 2008
14 Bugs: #202747
15 ID: 200801-22:02
16
17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
18
19 Synopsis
20 ========
21
22 A buffer overflow vulnerability has been discovered in PeerCast.
23
24 Background
25 ==========
26
27 PeerCast is a client and server for P2P-radio network
28
29 Affected packages
30 =================
31
32 -------------------------------------------------------------------
33 Package / Vulnerable / Unaffected
34 -------------------------------------------------------------------
35 1 media-sound/peercast < 0.1218 >= 0.1218
36
37 Description
38 ===========
39
40 Luigi Auriemma reported a heap-based buffer overflow within the
41 "handshakeHTTP()" function when processing HTTP requests.
42
43 Impact
44 ======
45
46 A remote attacker could send a specially crafted request to the
47 vulnerable server, possibly resulting in the remote execution of
48 arbitrary code with the privileges of the user running the PeerCast
49 server, usually "nobody".
50
51 Workaround
52 ==========
53
54 There is no known workaround at this time.
55
56 Resolution
57 ==========
58
59 All PeerCast users should upgrade to the latest version:
60
61 # emerge --sync
62 # emerge --ask --oneshot --verbose ">=media-sound/peercast-0.1218"
63
64 References
65 ==========
66
67 [ 1 ] CVE-2007-6454
68 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6454
69
70 Availability
71 ============
72
73 This GLSA and any updates to it are available for viewing at
74 the Gentoo Security Website:
75
76 http://security.gentoo.org/glsa/glsa-200801-22.xml
77
78 Concerns?
79 =========
80
81 Security is a primary focus of Gentoo Linux and ensuring the
82 confidentiality and security of our users machines is of utmost
83 importance to us. Any security concerns should be addressed to
84 security@g.o or alternatively, you may file a bug at
85 http://bugs.gentoo.org.
86
87 License
88 =======
89
90 Copyright 2008 Gentoo Foundation, Inc; referenced text
91 belongs to its owner(s).
92
93 The contents of this document are licensed under the
94 Creative Commons - Attribution / Share Alike license.
95
96 http://creativecommons.org/licenses/by-sa/2.5
97 -----BEGIN PGP SIGNATURE-----
98 Version: GnuPG v1.4.7 (GNU/Linux)
99 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
100
101 iD8DBQFHoQXSuhJ+ozIKI5gRAjt2AJ9DJWDt8dQGon3Ko7t/8Wd9eyxlAQCdF4m6
102 5HDWgrpZTI1V//W92M7ubFs=
103 =GdER
104 -----END PGP SIGNATURE-----
105 --
106 gentoo-announce@l.g.o mailing list